Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities

PI(s), Co-PI(s), Researchers:

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

  • Metrics

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

Theisen, C., Munaiah, N., Al-Zyoud, M., Carver, J., Meneely, A., and Williams, L., Attack surface definitions: A systematic literature review, Information and Software Technology, Available online 27 July 2018.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

  • To date, approaches for predicting which code artifacts are vulnerable have utilized a binary classification of code as vulnerable or not vulnerable. To better understand the strengths and weaknesses of vulnerability prediction approaches, vulnerability datasets with classification and severity data are needed. In this work, we used crash dump stack traces to approximate the attack surface of Mozilla Firefox. We then generated a dataset of 271 vulnerable files in Firefox, classified using the Common Weakness Enumeration (CWE) system. We use these files as an oracle for the evaluation of the attack surface generated using crash data. In the Firefox vulnerability dataset, 14 different classifications of vulnerabilities appeared at least once. In our study, 85.3% of vulnerable files were on the attack surface generated using crash data. We found no difference between the severity of vulnerabilities found on the attack surface generated using crash data and vulnerabilities not occurring on the attack surface.
  • We continued our work related to crash reports. The goal of this research is to help security analysts mitigate difficult-to-discover vulnerabilities by characterizing such vulnerabilities through an analysis of crash reports. We conduct an analysis with 26,482 crashes collected from Mozilla. We answer the following research questions:

    - RQ1: Which properties of crash reports correlate with the exploitability of vulnerabilities?

    - RQ2: How do system configurations correlate with the exploitability of vulnerabilities?

    We measure discoverability by using the exploitability score provided by the National Vulnerability Database. We answer RQ1 by mining crash reporting time and quantifying the correlation between discoverability of vulnerabilities and crash reporting time. We answer RQ2 by mining system configurations such as used system memory and used virtual memory. Next, we quantify the correlation between discoverability of vulnerabilities and system configurations by applying statistical analysis.

  • A systematic literature review on attack surface definitions entitled "Attack Surface Definitions: A Systematic Literature Review" was accepted for publication in the Information and Software Technology journal. This systematic literature review examines the current body of literature to determine the various definitions of the "attack surface" metaphor and determines clusters of those definitions. The phrase "attack surface" can mean many things to many people, and this study helps clarify what is intended when using the metaphor.
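The crash-based attack surface evaluation described in the first highlight can be sketched as follows. This is an added example, not the researchers' code: the stack frame format, file paths, CWE labels and function names are all constructed assumptions.

```python
from collections import Counter

# Constructed sample crashes; each frame is "function (file:line)".
# This frame format is an assumption, not the crash reporter's real schema.
CRASHES = [
    ["Document::Load (src/dom/document.cpp:120)",
     "Interp::Run (src/js/interpreter.cpp:88)",
     "libc.so!abort"],                      # frame without source info
    ["Layer::Paint (src/gfx/layers.cpp:301)",
     "Document::Load (src/dom/document.cpp:131)"],
    ["Interp::Run (src/js/interpreter.cpp:92)", "<unknown>"],
]

# Constructed oracle: known-vulnerable file -> CWE classification.
ORACLE = {
    "src/dom/document.cpp": "CWE-416",
    "src/gfx/layers.cpp": "CWE-416",
    "src/js/interpreter.cpp": "CWE-119",
    "src/net/socket.cpp": "CWE-119",        # never appears in a crash
}

def frame_file(frame):
    """Return the source file named in a frame, or None if it has none."""
    if "(" not in frame or not frame.endswith(")"):
        return None
    location = frame[frame.rindex("(") + 1:-1]
    path, sep, line = location.rpartition(":")
    return path if sep and line.isdigit() else None

def attack_surface(crashes):
    """Map each file seen in any stack trace to the number of crashes it is in."""
    seen = Counter()
    for frames in crashes:
        # Count a file once per crash, however many frames reference it.
        seen.update({f for f in map(frame_file, frames) if f})
    return seen

def coverage(surface, oracle):
    """Fraction of oracle files on the surface, plus (hit, total) per CWE."""
    per_cwe = {}
    for path, cwe in oracle.items():
        hit, total = per_cwe.get(cwe, (0, 0))
        per_cwe[cwe] = (hit + (path in surface), total + 1)
    hits = sum(h for h, _ in per_cwe.values())
    return hits / len(oracle), per_cwe

if __name__ == "__main__":
    surface = attack_surface(CRASHES)
    ratio, per_cwe = coverage(surface, ORACLE)
    print(f"{ratio:.1%} of vulnerable files on crash-based surface", per_cwe)
```

The per-CWE breakdown is what a classified dataset adds over a binary vulnerable/not-vulnerable label: it shows which classes of weakness the crash-derived surface misses.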

COMMUNITY ENGAGEMENTS

  • Laurie presented a paper on Theisen et al.'s crash dump/attack surface work at the SecDev conference in Cambridge, MA in October 2018.
  • Andy Meneely discussed the NSA Science of Security Lablet with members of the Rochester community at the ImagineRIT festival in May 2018. He taught and demonstrated the basics of cybersecurity to the festival attendees.
  • Laurie Williams discussed the NSA Science of Security Lablet in her keynote address at the XP2018 conference in Porto, Portugal.

EDUCATIONAL ADVANCES:

  • Andy Meneely revised his presentation of attack surfaces and how they apply to risk management in the SWEN 331 Engineering Secure Software course, based on the research in this lablet. This course sees 60-80 students per academic year, and is required for all software engineering majors at RIT.